rodauth 1.14.0 → 1.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/MIT-LICENSE +1 -1
- data/doc/change_password_notify.rdoc +0 -10
- data/doc/create_account.rdoc +3 -0
- data/doc/release_notes/1.15.0.txt +21 -0
- data/doc/verify_account.rdoc +3 -0
- data/lib/rodauth/features/create_account.rb +13 -10
- data/lib/rodauth/features/verify_account.rb +37 -13
- data/lib/rodauth/version.rb +1 -1
- data/spec/verify_account_spec.rb +45 -0
- data/templates/create-account.str +2 -2
- data/templates/verify-account.str +2 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d3c6bdb8caddbc1197f6af32fffb55ed7f1f66b088849893ee01dd2584ca10ac
|
|
4
|
+
data.tar.gz: 429057d63aba07108ff8e7df142509c8c4459db6ddda89cd1869b82b2ab0c6e4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cceea61e53481439c655ad641a1b417200e65802996ce9ee99b03d1626a928dc073f5b96225e904b1c971407c0a96c05305a974a7f25f45199d78b2f9d612c7c
|
|
7
|
+
data.tar.gz: 05a840ba64a93b8f80e4dc58c52129b9720fa2f8ab80c7d4011dc5e0880f74818264af5ffc5ca995bc06255ab75fd8a187696d15fa1ff1024b2f01dc92305fd6
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
=== 1.15.0 (2018-01-29)
|
|
2
|
+
|
|
3
|
+
* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
|
|
4
|
+
|
|
1
5
|
=== 1.14.0 (2017-12-19)
|
|
2
6
|
|
|
3
7
|
* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
|
data/MIT-LICENSE
CHANGED
|
@@ -2,16 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
The change password notify feature emails the user when their password
|
|
4
4
|
is changed using the change password feature.
|
|
5
|
-
auth_value_method :password_changed_email_subject, 'Password Changed'
|
|
6
|
-
|
|
7
|
-
auth_value_methods(
|
|
8
|
-
:password_changed_email_body
|
|
9
|
-
)
|
|
10
|
-
auth_methods(
|
|
11
|
-
:create_password_changed_email,
|
|
12
|
-
:send_password_changed_email
|
|
13
|
-
)
|
|
14
|
-
|
|
15
5
|
|
|
16
6
|
== Auth Value Methods
|
|
17
7
|
|
data/doc/create_account.rdoc
CHANGED
|
@@ -14,6 +14,9 @@ create_account_notice_flash :: The flash notice to show after successful
|
|
|
14
14
|
create_account_redirect :: Where to redirect after creating the account.
|
|
15
15
|
create_account_route :: The route to the create account action. Defaults to
|
|
16
16
|
+create-account+.
|
|
17
|
+
create_account_set_password? :: Whether to ask for a password to be set on the create
|
|
18
|
+
account form. Defaults to true. If set to false, an
|
|
19
|
+
alternative method to set the password should be used.
|
|
17
20
|
|
|
18
21
|
== Auth Methods
|
|
19
22
|
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* create_account_set_password? and verify_account_set_password?
|
|
4
|
+
configuration methods have been added to the create_account and
|
|
5
|
+
verify_account features. Setting:
|
|
6
|
+
|
|
7
|
+
verify_account_set_password? true
|
|
8
|
+
|
|
9
|
+
in your rodauth configuration will change Rodauth so that instead
|
|
10
|
+
of asking for a password on the create account form, it will ask for
|
|
11
|
+
a password on the verify account form.
|
|
12
|
+
|
|
13
|
+
This can fix a possible issue where an attacker creates an account
|
|
14
|
+
for a user with a password the attacker knows. If the user clicks
|
|
15
|
+
on the link in the verify account email and clicks on the button on
|
|
16
|
+
the verify account page, the attacker would have have a verified
|
|
17
|
+
account that they know the password to.
|
|
18
|
+
|
|
19
|
+
By setting verify_account_set_password? to true, you can ensure that
|
|
20
|
+
only the user who has access to the email can enter the password for
|
|
21
|
+
the account.
|
data/doc/verify_account.rdoc
CHANGED
|
@@ -45,6 +45,9 @@ verify_account_resend_route :: The route to the verify account resend action.
|
|
|
45
45
|
verify_account_route :: The route to the verify account action. Defaults to
|
|
46
46
|
+verify-account+.
|
|
47
47
|
verify_account_session_key :: The key in the session to hold the verify account key temporarily.
|
|
48
|
+
verify_account_set_password? :: Whether to ask for a password to be set on the verify account
|
|
49
|
+
form. Defaults to false. If set to true, will automatically
|
|
50
|
+
stop asking for passwords to be set on the create account form.
|
|
48
51
|
verify_account_table :: The name of the verify account keys table.
|
|
49
52
|
|
|
50
53
|
== Auth Methods
|
|
@@ -16,6 +16,7 @@ module Rodauth
|
|
|
16
16
|
redirect
|
|
17
17
|
|
|
18
18
|
auth_value_method :create_account_autologin?, true
|
|
19
|
+
auth_value_method :create_account_set_password?, true
|
|
19
20
|
|
|
20
21
|
auth_value_methods :create_account_link
|
|
21
22
|
|
|
@@ -41,10 +42,6 @@ module Rodauth
|
|
|
41
42
|
password = param(password_param)
|
|
42
43
|
new_account(login)
|
|
43
44
|
|
|
44
|
-
if account_password_hash_column
|
|
45
|
-
set_new_account_password(param(password_param))
|
|
46
|
-
end
|
|
47
|
-
|
|
48
45
|
catch_error do
|
|
49
46
|
if require_login_confirmation? && login != param(login_confirm_param)
|
|
50
47
|
throw_error_status(unmatched_field_error_status, login_param, logins_do_not_match_message)
|
|
@@ -54,12 +51,18 @@ module Rodauth
|
|
|
54
51
|
throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
|
|
55
52
|
end
|
|
56
53
|
|
|
57
|
-
if
|
|
58
|
-
|
|
59
|
-
|
|
54
|
+
if create_account_set_password?
|
|
55
|
+
if require_password_confirmation? && password != param(password_confirm_param)
|
|
56
|
+
throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
|
|
57
|
+
end
|
|
60
58
|
|
|
61
|
-
|
|
62
|
-
|
|
59
|
+
unless password_meets_requirements?(password)
|
|
60
|
+
throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
if account_password_hash_column
|
|
64
|
+
set_new_account_password(password)
|
|
65
|
+
end
|
|
63
66
|
end
|
|
64
67
|
|
|
65
68
|
transaction do
|
|
@@ -68,7 +71,7 @@ module Rodauth
|
|
|
68
71
|
throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
|
|
69
72
|
end
|
|
70
73
|
|
|
71
|
-
|
|
74
|
+
if create_account_set_password? && !account_password_hash_column
|
|
72
75
|
set_password(password)
|
|
73
76
|
end
|
|
74
77
|
after_create_account
|
|
@@ -32,8 +32,7 @@ module Rodauth
|
|
|
32
32
|
auth_value_method :verify_account_id_column, :id
|
|
33
33
|
auth_value_method :verify_account_key_column, :key
|
|
34
34
|
auth_value_method :verify_account_session_key, :verify_account_key
|
|
35
|
-
|
|
36
|
-
auth_value_methods :verify_account_resend_link
|
|
35
|
+
auth_value_method :verify_account_set_password?, false
|
|
37
36
|
|
|
38
37
|
auth_methods(
|
|
39
38
|
:allow_resending_verify_account_email?,
|
|
@@ -108,20 +107,40 @@ module Rodauth
|
|
|
108
107
|
redirect verify_account_redirect
|
|
109
108
|
end
|
|
110
109
|
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
110
|
+
catch_error do
|
|
111
|
+
if verify_account_set_password?
|
|
112
|
+
password = param(password_param)
|
|
113
|
+
|
|
114
|
+
if require_password_confirmation? && password != param(password_confirm_param)
|
|
115
|
+
throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
unless password_meets_requirements?(password)
|
|
119
|
+
throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
transaction do
|
|
124
|
+
before_verify_account
|
|
125
|
+
verify_account
|
|
126
|
+
if verify_account_set_password?
|
|
127
|
+
set_password(password)
|
|
128
|
+
end
|
|
129
|
+
remove_verify_account_key
|
|
130
|
+
after_verify_account
|
|
131
|
+
end
|
|
117
132
|
|
|
118
|
-
|
|
119
|
-
|
|
133
|
+
if verify_account_autologin?
|
|
134
|
+
update_session
|
|
135
|
+
end
|
|
136
|
+
|
|
137
|
+
session[verify_account_session_key] = nil
|
|
138
|
+
set_notice_flash verify_account_notice_flash
|
|
139
|
+
redirect verify_account_redirect
|
|
120
140
|
end
|
|
121
141
|
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
redirect verify_account_redirect
|
|
142
|
+
set_error_flash verify_account_error_flash
|
|
143
|
+
verify_account_view
|
|
125
144
|
end
|
|
126
145
|
end
|
|
127
146
|
|
|
@@ -194,6 +213,11 @@ module Rodauth
|
|
|
194
213
|
"<p><a href=\"#{prefix}/#{verify_account_resend_route}\">Resend Verify Account Information</a></p>"
|
|
195
214
|
end
|
|
196
215
|
|
|
216
|
+
def create_account_set_password?
|
|
217
|
+
return false if verify_account_set_password?
|
|
218
|
+
super
|
|
219
|
+
end
|
|
220
|
+
|
|
197
221
|
private
|
|
198
222
|
|
|
199
223
|
attr_reader :verify_account_key_value
|
data/lib/rodauth/version.rb
CHANGED
data/spec/verify_account_spec.rb
CHANGED
|
@@ -55,6 +55,51 @@ describe 'Rodauth verify_account feature' do
|
|
|
55
55
|
page.current_path.must_equal '/'
|
|
56
56
|
end
|
|
57
57
|
|
|
58
|
+
[false, true].each do |ph|
|
|
59
|
+
it "should support setting passwords when verifying accounts #{'with account_password_hash_column' if ph}" do
|
|
60
|
+
rodauth do
|
|
61
|
+
enable :login, :create_account, :verify_account
|
|
62
|
+
account_password_hash_column :ph if ph
|
|
63
|
+
verify_account_autologin? false
|
|
64
|
+
verify_account_set_password? true
|
|
65
|
+
end
|
|
66
|
+
roda do |r|
|
|
67
|
+
r.rodauth
|
|
68
|
+
r.root{view :content=>""}
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
visit '/create-account'
|
|
72
|
+
fill_in 'Login', :with=>'foo@example2.com'
|
|
73
|
+
fill_in 'Confirm Login', :with=>'foo@example2.com'
|
|
74
|
+
click_button 'Create Account'
|
|
75
|
+
page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
|
|
76
|
+
|
|
77
|
+
link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
|
|
78
|
+
visit link
|
|
79
|
+
fill_in 'Password', :with=>'0123456789'
|
|
80
|
+
fill_in 'Confirm Password', :with=>'012345678'
|
|
81
|
+
click_button 'Verify Account'
|
|
82
|
+
page.html.must_include("passwords do not match")
|
|
83
|
+
page.find('#error_flash').text.must_equal "Unable to verify account"
|
|
84
|
+
|
|
85
|
+
fill_in 'Password', :with=>'0123'
|
|
86
|
+
fill_in 'Confirm Password', :with=>'0123'
|
|
87
|
+
click_button 'Verify Account'
|
|
88
|
+
page.html.must_include("invalid password, does not meet requirements (minimum 6 characters)")
|
|
89
|
+
page.find('#error_flash').text.must_equal "Unable to verify account"
|
|
90
|
+
|
|
91
|
+
fill_in 'Password', :with=>'0123456789'
|
|
92
|
+
fill_in 'Confirm Password', :with=>'0123456789'
|
|
93
|
+
click_button 'Verify Account'
|
|
94
|
+
page.find('#notice_flash').text.must_equal "Your account has been verified"
|
|
95
|
+
page.current_path.must_equal '/'
|
|
96
|
+
|
|
97
|
+
login(:login=>'foo@example2.com', :password=>'0123456789')
|
|
98
|
+
page.find('#notice_flash').text.must_equal 'You have been logged in'
|
|
99
|
+
page.current_path.must_equal '/'
|
|
100
|
+
end
|
|
101
|
+
end
|
|
102
|
+
|
|
58
103
|
it "should support autologin when verifying accounts" do
|
|
59
104
|
rodauth do
|
|
60
105
|
enable :login, :create_account, :verify_account
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
#{rodauth.csrf_tag}
|
|
4
4
|
#{rodauth.render('login-field')}
|
|
5
5
|
#{rodauth.render('login-confirm-field') if rodauth.require_login_confirmation?}
|
|
6
|
-
#{rodauth.render('password-field')}
|
|
7
|
-
#{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}
|
|
6
|
+
#{rodauth.render('password-field') if rodauth.create_account_set_password?}
|
|
7
|
+
#{rodauth.render('password-confirm-field') if rodauth.create_account_set_password? && rodauth.require_password_confirmation?}
|
|
8
8
|
#{rodauth.button(rodauth.create_account_button)}
|
|
9
9
|
</form>
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
<form method="post" class="rodauth form-horizontal" role="form" id="verify-account-form">
|
|
2
2
|
#{rodauth.verify_account_additional_form_tags}
|
|
3
3
|
#{rodauth.csrf_tag}
|
|
4
|
+
#{rodauth.render('password-field') if rodauth.verify_account_set_password?}
|
|
5
|
+
#{rodauth.render('password-confirm-field') if rodauth.verify_account_set_password? && rodauth.require_password_confirmation?}
|
|
4
6
|
#{rodauth.button(rodauth.verify_account_button)}
|
|
5
7
|
</form>
|
|
6
8
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-01-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -244,6 +244,7 @@ extra_rdoc_files:
|
|
|
244
244
|
- doc/release_notes/1.12.0.txt
|
|
245
245
|
- doc/release_notes/1.13.0.txt
|
|
246
246
|
- doc/release_notes/1.14.0.txt
|
|
247
|
+
- doc/release_notes/1.15.0.txt
|
|
247
248
|
files:
|
|
248
249
|
- CHANGELOG
|
|
249
250
|
- MIT-LICENSE
|
|
@@ -278,6 +279,7 @@ files:
|
|
|
278
279
|
- doc/release_notes/1.12.0.txt
|
|
279
280
|
- doc/release_notes/1.13.0.txt
|
|
280
281
|
- doc/release_notes/1.14.0.txt
|
|
282
|
+
- doc/release_notes/1.15.0.txt
|
|
281
283
|
- doc/release_notes/1.2.0.txt
|
|
282
284
|
- doc/release_notes/1.3.0.txt
|
|
283
285
|
- doc/release_notes/1.4.0.txt
|